Main menu

Tor Browser Downloads Are Up in 2017

We love releasing new features and giving talks about where the Tor Network is going next. Still, it’s good to take stock every now and then, especially when we can share good news.

The Tor Metrics website provides all sorts of information about the Tor Network, including how fast the network is, or how many daily users it has. The Metrics team recently expanded the Metrics page with a Mozilla grant, strengthening the infrastructure used to collect data.

One of the things Tor Metrics measures is how many times Tor Browser has been downloaded, and we decided to investigate how the first six months of 2017 measures up to the same time last year. Data from Tor Metrics tells us there was a 1.4 million increase in the number of Tor Browser downloads in the first six months of this year, compared to the same period last year. In all, download numbers increased from 16.1 million to 17.5 million.

The more Tor, the better

More Tor is good for lots of reasons: it means that journalists, activists, and other privacy-conscious individuals are taking steps to evade internet censorship or stop websites from tracking them as they browse the web. An increase in the number of Tor Browser downloads could also be evidence of some new censorship event, when users circumvent internet censors to access online resources and communities.

Privacy protections rolled back by the US government in March gave ISPs free reign to collect and sell your private information. We’re delighted that more people are realizing that there’s an alternative to the pervasive tracking and surveillance that many websites, ISPs, and agencies carry out.

Tor makes every user look the same, and the diversity of our user base is part of what makes Tor strong. The more people who use the network, the better Tor’s anonymity.

Browser download numbers don’t tell us everything -- we have no way of knowing many of those downloads are repeat downloaders, or for how long they stay using Tor. Those would be privacy-invasive metrics, and we don’t gather such information. But we still think that this number is meaningful, and we’re glad to see it increasing.

When I see updates in Tails [Synaptic] for packages like "Tor", should I upgrade via the auto-configured .onion repositories? Or wait for the next release of Tails for it to ship with these updates? TIA

Someone from Tails Project please correct me ASAP if I am wrong about anything in my response to the following question:

> When I see updates in Tails [Synaptic] for packages like "Tor", should I upgrade via the auto-configured .onion repositories? Or wait for the next release of Tails for it to ship with these updates? TIA

As a long-time Tails user, according to my understanding, you should avoid regularly using synaptic at all while using Tails, and you should not try to upgrade anything from the Debian repos (or elsewhere). While Tails is based upon Debian stable, it features a rather delicate mix of reconfigurations and other tweaks which are intended to make Tails do one thing very well: serve as an "amnesiac" operating system, which is to say, to leave no trace in hardware after you end a Tails session. The other thing it does very well is anonymous browsing, and in the near future we hope it will do anonymous chat very well too. The danger in "upgrading" software in your Tails system via the Debian repos is that you might break something, causing your Tails system to leak information, which could be dangerous.

In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

Users of Whonix and other privacy-anonymity-enhancing operating systems should follow the advice of the developers of those systems regarding how and when to upgrade software.

Social justice advocates, civil libertarians and scientific/human-rights researchers who use both Tails (amnesiac OS) and Debian (non-amnesiac OS) tend to keep their Debian system offline except for software updates, and to use it for specialized purposes, but to use Tails for almost all interactions with the wider world. This provides little protection against "close-access" technical attacks leveraging stray electronic emanations, but our enemies may sometimes be reluctant to use anything they learn that way, in their ongoing attempts to retaliate against us, for fear of revealing their darkest methods to the entire world, so every little thing we can do to make ordinary methods (malware etc) hard for them can help us protect ourselves and our families from state-sponsored attack.

One configures according on his own needs : tail_cd is not built with only one profile in mind.

usually you should not use an old version especially on a live cd :
- repos is for downloading the stable & verified software , rarely for the last updated version.
- it is better to use the last version of tail & download the last version of tor (e.g.) from the project.site.

# In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

# you should absolutely use the onion repos.
- it is not recommended (outdated) : download Tor from torproject.org.
# updates, and upgrade your Debian system regularly via the onion repos.
- it is not recommended (default=stable=maintained): set hkps_debian source.
# check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos..
- it is not recommended (source-list/version) : configure the depo.

>> In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

Oops! I forgot to stress a very important point: if you use Debian as your non-amnesiac OS, you should certainly use the onion mirrors of the Debian repos to update your system, with the exception of Tor Browser, which you should replace with the latest version from torproject.org (make sure to use Debian gpg to check the detached signature of the tarball before you unpack it!) as soon as a new version becomes available (your Tor Browser will alert you when it notices that a newer version is available).

Actually, depending upon what is installed in your Debian system, there may be a few other things which you should update from non-Debian sources. Debian offers a nice script to check for debian packages which do not have ongoing support from the Debian security team, generally because critical bugfixes come too rapidly for Debian to keep up with them, so you should probably look for that and install it.

> However, I thought it was encouraged in Tails to update via the built-in .onion repositories?

You were? Maybe you have seen something from tails.boum.org that I missed, but if so can you cite the link?

I would welcome correction if I am wrong, but AFAIK Tails does *not* advise updating a Tails system from the Debian repos. If you were to do that, you would certainly want to use the onion mirrors while using Tails, but AFAIK the problem is that you might break something in Tails. For example, some of the versions of standard software included in Tails have config files tweaked by the Tails developers to prevent information leaks, or to prevent breaking other tweaks in Tails, and if you overwrote those, you could break something, which could be dangerous.

"You were? Maybe you have seen something from tails.boum.org that I missed, but if so can you cite the link?"

I don't recall reading anything about it. Maybe a warning should be added about this?

"Tails does *not* advise updating a Tails system from the Debian repos."

Thanks. FWIW, if it is *bad* to do this, perhaps the system could be [crippled] configured in a way so that updates are impossible? Otherwise, someone out there is going to do it. And we know how many people read websites and documentation!

"If you were to do that, you would certainly want to use the onion mirrors while using Tails,"

Which I was enjoying, but I I'll cease doing so within Tails.

"but AFAIK the problem is that you might break something in Tails. For example, some of the versions of standard software included in Tails have config files tweaked by the Tails developers to prevent information leaks, or to prevent breaking other tweaks in Tails, and if you overwrote those, you could break something, which could be dangerous."

Please update the bold font in this blog, "Tor" gets written as "TOR", essentially putting you under the same bucket as people "who haven't read any of our website (and have instead learned everything they know about Tor from news articles)" https://www.torproject.org/docs/faq.html.en#WhyCalledTor

Oops, my comment didn't render properly, anyway I said:
Hiro still has a small bit of work, there's still the <li class="menu-item-about-tor"...
and <li class="menu-item-about-donate" i.e. the "ABOUT TOR - DONATE" at the very top.

A few years ago I would use TOR occasionally to bypass the unauthorized content filtering (including a false positive blocking my employer) on my mobile phone. Then the UK's "Snooper's Charter" was introduced with all it's privacy problems even before the risk of hackers steeling and selling my data. Now the TOR browser is almost my default. Keep up the good work TOR people!

your article is nicely & friendly written but ...
- have you tried/used Tor before upload it ?
- 7.0.4 is broken
- there is an incompatibility between TBB & amnesia
- it is more an usa tool for usa guys in restricted area than an international open movement
- running a relay is reserved for the enterprise, firm, organization (hospital, transport/police station included) which provide a good & fast/modern bandwidth and do know manage their business contract/contact.
- as soon as i post (or run a relay as individual user) i am not anymore anonymous and they will come knock at the door, a day or an other, asking me their 10 000$ (that i saved during few years coin by coin).
Have a good day ( without eclipse for 100 years now).

- please define "amnesia", AFAIK it is, for example, the OS user name in Tails "the amnesic incognito live system". Tails 3.1 was released two weeks ago and integrates TBB 7.0.4 also (I read the announcement, didn't try it as yet but it should be safe to assume it rocks as usual)

- yes, the Internets remain far from a global network at planet scale, the scope of the problem is a lot wider than affecting just Tor, only half of human being are "somewhat" connected in "some way" to "something". Still, have you tried Tor Bridges?

- some individuals have published their experiences running relays and this post seems to target the millions of lucky ones who are nowadays connected via FTTH in the ranges of 2-50ms of latency and 50-1000 Mbps of bandwidth

The topic is Metrics :
not tail, not 704, not white & black fingers
[Tor Browser] 7.0.4 is broken : https-everywhere failed etc. if you installed it from the depo ; maybe it works on but (download = ok) 7.0.4 is broken. the next update will solve the issue.
if you are ; you & others bloggers:posters too lazy for doing your own research & bad educated (linux = educate yourself first) , no one can help you :
e.g whatisamnesia (on the tor blog it is very fun) ; douseonionsondebian (from atailuserwhohaveneveruseddebian lol) ; racisminamerica vs usingonions ; (ididnotknowthatthecolorofmyskinwasapassportforafreeusage).
i think that a forum or a Tor|Blog set in different language or translated pushing a button could solve a lot of misunderstood : in short ; are the comments relevant/related to the article :
Tor Browser Downloads Are Up in 2017 / Metrics.

Give us a break please, this is like in a cafe where some people chat and ask not-so-related questions because they're either lazy or confused about where to post them. At the same time, bar tenders appear to be out of it or in vacation or whatever, so they moderate stuff they should not and let trollesque thoughs go through.. Have a nice day!

Given that the Tor community tends to be more sympathetic with anarchic philosophies than some other communities, and given the fact that TP folk are busy with many critical issues more urgent than blog moderation, you probably should learn to accept a certain level of chaos in the blog comments.

That said, if Tor-related-but-not-post-topic-related comments bother you so much, why not join those who have suggested that TP follow the example of Bruce Schneier by posting on Fridays a blog post inviting users to ask/suggest anything (as long as it is Tor related or TP related)?

This could serve as a stop gap for providing feedback by anon channels until better technological solutions become available, while allowing people like you to avoid seeing OT topics, simply by skipping over the regular Friday blog.

anarchism is well understood where it lived & was born _ usa guys do not so i do not think that the blog was built with anarchic philosophies in mind and i thank them for their open mind.
That's solved 2 false arguments : yours.
your conclusion is wrong : i am not a moderator of the Tor|Blog so regulating the chaos is not my job.
Don't forget that ****** is usually maintained by volunteers , not to be confused with a post-sales customer service organization (and an UNO politic civil movement).

i like read the comments of the others but i do not want to be involved/manipulated ...the comment about racism was done on this topic because the last topic (tor support anti racism movement) was censored so it was really off-topic & spam.
Tail is a live operating system but recommended by Tor (a software/app) and the best place for discussing about Tail is certainly not on the Torblog ... you will not have the same support...

Usually , the users do not want to be known or become like an interference in the work or the life of the others. Posting, asking, providing some help/solutions and bringing few good responses is also that anybody can do (as linux user , it is like a reflex) easily.

some free chat (prism-break .org) and network , with the help of a large community, allow everybody to say everything without any risk of censure or bad reaction.

> anarchism is well understood where it lived & was born _ usa guys do not

If you are trying to suggest that anarchist movements are a recent development in the US, the historical facts do not support that claim. Between 1890 and 1914 several heads of states were assasinated by anarchists, including a US President. A few years later Wall Street was attacked by a horse-cart bomb (the scars from that bombing are still visible).

If you are trying to suggest that only the Russian political conciousness is informed by anarchism, that too is debatable: the libertarian movement in the US is heavily influenced by the writings of Ayn Rand, whose ideas have rather visible ties to contemporary Russian anarchists.

One of the most interesting anarchist treatises in recent years comes from a former UK diplomatic service member, which underlines the point that well-informed anarchists can be found in many countries.

I posted a serious question, about be(com)ing a more active user by running a relay, and how this involvment may be trashed or protected. It appears to have been moderated for a day. I know it may not appear as "100% positive energy" but it meant to be constructive. Please, would you dare to publish it? Thanks.

1. It is safe to do that from your home, assuming your home is not in a country where Tor is illegal.
2. You do not need a personal domain name. Tor relays work without them. Although, while not strictly necessary, it is often a good idea to get a reverse domain name if you are running an exit, though.
3. It depends on the ISP. Some are friendly toward Tor, others not so much. Most are fine with you running non-exit relays, though.
4. You can donate as little bandwidth as you want, but note that Tor will use as much bandwidth as is available, so you will have to set strict limits in the config file.

In previous Tor Project posts suggesting that enthusiasts run relays, this critical information has been missing, which is a pity because it is very hard or impossible to find elsewere at torproject.org site.

My bandwidth is probably too small to allow me to be on the internet myself and also to run a small relay node from home, but do you have a link to a suggested config for low bandwidth users in case I dare to experiment a bit? Most desirable would be the ability to run a relay when I am not using the Internet myself, but this could be problem if it interrupts someone else's Tor circuits. Would it be feasible to put code into the Tor client which tells existing circuits, so to speak, to create new circuits because the server is about to go down temporarily, or something like that?

most of free projects are volunteers projects & a banner is often on their site : paypal/bitcoin.

@Tor project people : "How to set up a Tor Relay on a Raspberry Pi" : it is not their job & raspberry is not a Torproject but if someone do wish write an article about that, why not ?

Tail project are on Tail site (contact them by e_mail) like raspberry how-to are on their one.
i do not understand _maybe a genius idea, maybe a confusion_ how a Tails project could run on a raspberry ? - sorry for my lack of intelligence ...a "tor"box can be used (pre-configured or set as relay and you will have support) : it is cheap, you buy one and plug it : done !

you will find on the raspberry site and others similar projects a lot of how-to & help (contact them by e-mail).

I have been using TOR as my main browser for half a year now, as well as changing my OS from Windows 7 to Linux. The viruses have gone right down to 1 from about a 50 a year in 8 months of a year. After the introduction of snoopers charter in the UK, my father has also decided to do the same, as he needs a new computer anyway, and he'll also (hopefully) be running a bridge relay for those in Russia who were recently banned from using TOR, VPN's and proxies

Metrics counts a negative/false value of the number of download.
- firefox & tor allowed the update of the addon : https-everywhere.
- https addon is broken in tor & in firefox.
- Use at your own risk.

FIX :
- uncheck update in 7.0.4
- Open "about:config" and set "browser.urlbar.trimURLs" to "false" in order to prevent the "http://" prefix from being omitted.

Sh*t happens (and it's not the end of the World), yes https-everywhere appears in bad shape.

But unchecking updates is IMMO, a bad idea. What is your source for this recommendation?

Instead, paying more attention while browsing could help, even more when entering data. For examples, looking at URL before you click them (they appear at the bottom left at mouse hoover), watching out for mix-content warnings, allowing javascript only when necessary.

Subsidiary question: would EFF/whoever in charge of HTTPS-E nowadays, be able to publish an emergency update (even if it meant a code revert to start with)? Looks annoying to many users, just guessing.

I assume the next version of Tor Browser will have a better fix, so it's probably a moot point anyway. I've never actually seen the issue, because the addon auto updater is disabled in the sandboxed variant for security reasons.

I just meant to ask if that could even be an option in that case, technically (a look at the ticket made me doubt), and if so, whether downstream/TB would value any such instant/short-life "update", generally. I know where they are, helped writing rules in HTTPS-E early days and trust you all to do the right thing™ anyway :)

I can see it's a moot point as you say, if indeed TB next fix-release is expected shortly, still it reminds me about e.g. past torbrowser-launcher issues in Debian repos, for example: also likely to have affected adoption rate (while it's the middle of holidays for kids and students in a large part of the connected world). I wonder how much your metrics can really tell about this, probably not much?

Every now and then, little things discourage privacy-concerned users who we had introduced TB and it's only when we ask them again how their usage goes, they tell us they had given up on it.

I did not expect anything (just like I said) and yes I bothered to read the ticket. Badly I suppose, hence my doubt and previous question about the feasibility of an HTTPS-E "regression-update". Testing their latest release would not hurt me anyway, so I did. FWIW, I'm (still) not complaining about anything at all. Have a nice day :)

Recent Updates

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.1-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by the end of the month.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It introduces improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

Changes in version 0.4.0.1-alpha - 2019-01-18

Major features (battery management, client, dormant mode):

When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.

The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.

There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.

Major features (bootstrap reporting):

When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.

When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches. Tor 0.3.4.10 and 0.3.3.11 are also released today; please see the official announcements for those releases if you are tracking older stable versions.

The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth- measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series.

There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them.

We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.)

Below are the changes since 0.3.5.6-rc. For a complete list of changes since 0.3.4.9, see the ReleaseNotes file.

Changes in version 0.3.5.7 - 2019-01-07

Major bugfixes (relay, directory):

Always reactivate linked connections in the main loop so long as any linked connection has been active. Previously, connections serving directory information wouldn't get reactivated after the first chunk of data was sent (usually 32KB), which would prevent clients from bootstrapping. Fixes bug 28912; bugfix on 0.3.4.1-alpha. Patch by "cypherpunks3".